Tag Archives: research

Debunking the “8200”, “81” and other #### ex-Israeli Army Intelligence myth

I’m a known and pretty vocal advocate of self-learning, self-starting, and an inquisitive entrepreneurial spirit. As such, over my years in the security industry I’ve witnessed a lot of occasions where the halo or myth surrounding some so-called “elite” units in the Israeli Army Intelligence has blinded people.
Such blindness comes from a very small percentage of people who capitalized on what used to be highly selective knowledge and experience in a narrow field of practice. But that was almost 20 years ago. Companies like Checkpoint, Nice, and Amdocs were all started by alumni of such intelligence units, who basically applied their specific experience from the army signals intelligence units to building firewall systems, telecom, and spy/monitoring technologies.

Nowadays, the reality could not be further from this. What used to be a very specific skill-set and body of knowledge is mostly open, and freely accessible to anyone with the right aptitude to pick it up and master it. Back in the day you had to earn your “hacker cred” in order to get access to the forums where people were sharing knowledge; today most of that “exclusive/unique” knowledge is wide open and available.

And today I ran across an article that infuriated me because of its ignorance. Enter: “The cyber labor market in Israel, the cyber guild”. In this article, the author claims, again, that the “ex-#” alumni phenomenon is filling the Israeli market and basically owning it, to a point where non-guild members are shut out. It claims that whereas information and knowledge should be (or is?) open, in the guild market it matters more where you came from than what you actually know and have experience with.

I respectfully call BS on this. It’s just not the reality anymore. Yes, there is an obvious alumni network effect, but one that is just as common with other alumni organizations (think Ivy-league universities, local schools, or any other melting-pot where people get to know one another). But the “guild” part is just wrong. It’s actually the complete opposite. After the initial success of the early founders, the “ex-#” units basked in the glow and enjoyed a fairly long streak of alumni who only had to mention their unit’s name (or not even that – just to keep things more hush-hush) in order to nail a high-paying job. However, with such high expectations, the failures became more apparent. And then the realization – that 8200, which is the largest unit (people-wise) in the Army, does not actually employ thousands of talented programmers and hackers. That a huge percentage of it are grunt workers, pushing papers, poring over analyst reports, and operating the collection and dissemination processes and technologies. Glorified IT support in most cases. And with that, the sham evolved. The “friend brings friend” system worked most of the time when the initial friend was one of the actually few talented alumni, who brought their few talented friends. The rest ended up blowing the bubble out of proportion, and infusing the industry with the glorified IT technicians. And the industry balked fairly quickly. I have personally witnessed companies hurting and buckling under the cost of incompetent alumni recruitment, and eventually realizing their mistake and quietly ditching those hires. I have personally interviewed tens (if not hundreds) of people, and very quickly realized (again – after making a few trust mistakes myself) that my gut feeling and personal assessment of one’s personality is more consistent than their alleged history in a “famous” unit.

I have personally mentored extremely talented people who had to fight for their place, had to learn programming languages and platforms, gain their experience in the real world, and become some of the more sought-after talents out there. At the same time I’ve seen the “ex-#” alumni stagnate at dead-end jobs because they could not scale beyond their alleged field of expertise. The market is highly capitalistic out there. It won’t tolerate too much of the halo effect, and despite huge efforts in fueling that effect through several alumni organizations and alumni in executive positions, this doesn’t really hold. If you are looking for innovation and “thinking outside the box”, maybe try to look for people who have not been indoctrinated in a very strict environment to perform a very narrow task. Look for people with broad experience, from different paths of life, who share core traits – curiosity, innovation, drive, and the ability to say “I don’t know”. That’s how the modern market operates. There is no guild. And if you are led to believe so – try to see who or what gave you that impression. You’ll be quick to learn that it is mostly self-serving marketing created to favor the less talented who need to rely on riding the coattails of the successful few. Who, by the way, were mostly self-taught and would have made it without having the “ex-#” experience 😉

Intelligence on Ashiyane and the Iranian Cyber Army

One of my favorite OSINT resources, internet-haganah, has opened a new thread, called Ashiyane, on their forums dedicated to Iran.

This is basically the hacker forum that I was researching a couple of years ago (see my DefCon18 talk, and here, and here).

The forum thread is here: http://forum.internet-haganah.com/showthread.php?440-Ashiyane

And an interesting intelligence profile for the group actually quotes my past research (which, despite what it may seem, was NOT done as part of my reserve duty tasks in the Israeli Air Force…)

Keep up the great work guys! Truly humbled to have my work mentioned on your site.

The curious case of Dropbox security

After the disclosure of the host_id authentication issues that plagued the popular Dropbox service last week, a new issue came up with the fact that Dropbox can detect whether the files you are trying to upload to their cloud already exist there, and “save you the bandwidth” of uploading them if they already have a copy in hand.

So – the Dropbox client probably checks the hash of the file being uploaded against a list of hashes of existing files that are already stored in the cloud. It may also be that the files stored online are encrypted. So… what’s the big deal?

One has to remember that when using a service such as Dropbox (and I’m an avid user myself), you clearly do not have full control over the material you upload, and the online encryption is only a fraction of the protection you may be seeking. There is no key management visible to the user. There is no way that each client you use has its own key, nor that clients share keys between themselves; if keys exist at all, Dropbox is managing them. This also gives them the ability to decrypt your data at any given time. Subsequently, it also gives them the ability to provide you with the file of another user if you tried to upload it yourself (hence saving you the bandwidth) – for example, when you want to access it from a client which does not have the synced copy of your account (or through the web interface). They just decrypt the other user’s file and serve it back to you. After all – you have the same one back on your home/work/whatever PC (remember that you showed “proof” by providing the hash before).

Which brings us back to reality – what are we really exposed to here in terms of risk?

  1. Dropbox has the ability to access the contents of my files.
  2. If I can come up with a hash of a file that I know someone else has, and that file may be confidential in some way, I can potentially claim to upload the same file, and then download the real one (as I don’t really have the original) from another client or through the web interface.

Clearly, the media attention to point 1 is important – but still not really interesting, as people should have had a clue when they sent their files to the “cloud”.

However, point 2 makes a more interesting argument… It would be interesting to see when the first “hack” will come along which will start “uploading” files (by hacking the client protocol – hint: start here, here, and here) just based on hashes, and then downloading them as if from another client to see what you get (if they were “cached” already on the Dropbox cloud). Now that would be an interesting little experiment…
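As an added example (not code from the original post or from Dropbox), this Python sketch models the hash-only deduplication described above beside a hardened variant that demands a proof of possession: an HMAC over the full file under a server-issued nonce, which a party holding only the digest cannot produce. The store, user names and sample file are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample file standing in for another user's confidential document.
ALICE_FILE = b"Q3 board deck (constructed sample): acquisition offer $40M\n"

class DedupStore:
    def __init__(self):
        self.blobs = {}      # sha256 hex -> file bytes (one copy per content)
        self.owners = set()  # (user, hash) pairs allowed to download

    def upload(self, user, data):
        h = hashlib.sha256(data).hexdigest()
        self.blobs[h] = data
        self.owners.add((user, h))
        return h

    # Weak dedup (the post's model): a bare hash counts as proof of possession.
    def claim_by_hash(self, user, h):
        if h in self.blobs:
            self.owners.add((user, h))
        return h in self.blobs

    # Hardened dedup: client must return HMAC(server nonce, full file bytes).
    def claim_with_proof(self, user, h, nonce, proof):
        data = self.blobs.get(h)
        if data is None:
            return False
        expected = hmac.new(nonce, data, hashlib.sha256).digest()
        if hmac.compare_digest(expected, proof):
            self.owners.add((user, h))
            return True
        return False

    def download(self, user, h):
        return self.blobs[h] if (user, h) in self.owners else None

def demo():
    store = DedupStore()
    h = store.upload("alice", ALICE_FILE)
    store.claim_by_hash("hash_only_user", h)  # knows the digest, not the bytes
    weak_leaks = store.download("hash_only_user", h) == ALICE_FILE
    nonce = os.urandom(16)  # server-issued, single use: never reissue a nonce
    guess = hmac.new(nonce, h.encode(), hashlib.sha256).digest()  # no file bytes
    hash_only_ok = store.claim_with_proof("hash_only_user", h, nonce, guess)
    proof = hmac.new(nonce, ALICE_FILE, hashlib.sha256).digest()
    owner_ok = store.claim_with_proof("alice_laptop", h, nonce, proof)
    return weak_leaks, hash_only_ok, owner_ok  # (True, False, True)
```

The nonce must be fresh per claim and bound to the session, otherwise a captured proof could simply be replayed.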

Happy hacking!

SCADA, control systems and security – not necessarily enemies

Insights from the NISA International SCADA Security Forum conference (NISA stands for National Information Security Authority, which is a division of the Israeli Security Agency).

We all know that SCADA has been considered a security nightmare for a long time. Admittedly, I only have short experience with such systems and control systems in general (just short of two years), but the topic is fascinating. The main challenge in securing control systems, from my point of view, is the ability to “connect” with the domain experts and understand the systems and processes properly.
Unfortunately, we as a security community are far from it (at least based on what I have seen in the past couple of days at the conference). The rush to force traditional IT solutions and ways of thinking onto control systems just does not work. From “learning” firewalls that monitor the industrial control protocols, to systems that are designed to ADD complexity to the threat modeling by layering network and Internet related threats onto SIEM mechanisms and adding the “scada” data to it. These are all solutions that are bound to fail, as they do not understand the actual needs and operational state of mind of control systems engineering.

If we take a new and unbiased look at what kind of data and processes are involved in such systems, we (as in the security community) would be thrilled to learn that there are a lot of untapped intelligence resources that would substantially help us in building more appropriate and relevant detection and alerting mechanisms. Trying to force an IT solution on these would be an exercise in fitting a square peg into a round hole, and as exciting as that may be, we all know what the outcome would be.

To sum things up – just as you would not pretend to know the environment of a financial or a commercial customer when approaching the task of securing it, control systems pose an even more distinct challenge. Open up, keep the critical thinking and most of all LISTEN. You’ll find out that long before you can start pushing the “cyber” agenda, you have much to work with just with the basic data and processes already at hand, and that there is a lot of value that a security practitioner can bring to such an organization.

P.S. I’m specifically refraining from addressing any product or vendor as I do not think it’s fair to “out” them (however big or small they may be) as these have obviously been rushed to the market in an attempt to get an initial foothold in the industry. Nevertheless, I do encourage such vendors to do some more homework, and work WITH the industry rather than just try to capitalize on their existing expertise in IT and “cyber”.

Defense through Offense, and how APT fits there

I’m guessing that having “APT” in anything that goes outside for public consumption these days is mandatory, but this post actually has a good reason to do so. If you look back just one post in the past, we were discussing the new initiative to define “Penetration Testing”. The post, and the proposed standard itself really take a good look at what organizations need, and how to address such needs from a practical point of view, rather than from a compliance or a “check-box ticking” perspective.

For me this is one of the things that the security industry has done a great disservice to. It is exactly why companies are announcing that every time they get breached, it was an advanced attack. An attack so sophisticated that it managed to stay persistent in their network and exfiltrate lots of sensitive information, and that no reasonable control could have prevented or detected. The all-dreaded “APT”.

However, if you take a look at how organizations prepare themselves for such attacks you may find yourself staring at a blank page. Since regulatory compliance dictates a very basic “box checking” methodology for a very narrow and specific aspect of information security, and the product vendors on the other hand provide solutions that are “compliance oriented”, organizations are left with very weak defense mechanisms. This is without even mentioning the biggest security gap in most organizations – the employees.

The lack of self-testing, of a real-world simulation of what an attack would look like and how the organization would cope with it, hinders most organizations from putting reasonable defenses in place. The lack of proper training, awareness campaigns, and exercises that stress the human factor as well is leading us to a situation where even simple attacks that utilize off-the-shelf (and even FREE) attack tools manage to go through an organization’s control mechanisms with aggravating ease.

I’m looking back at what the penetration testing execution standard defines for its basic testing methodology, and I can clearly see how every element of the recent “APT” attacks would have been simulated, and probably in a more rigorous scenario. Such a test would have clearly left the tested organization with a roadmap that would bring it to a much higher security standard. And that’s the power of testing – of understanding the adversary’s techniques and strategies, and running exercises that reflect them in order to identify security gaps and close them as efficiently as possible. And yes – that also (and perhaps mainly) applies to human related processes and policies rather than just to technology.

So to sum things up – you may be compliant, but do not think for a moment that this compliance has anything to do with the security of your information. Until regulatory compliance mandates proper security testing in order to protect the data in question, such compliance is only going to hinder your “security vision”. Get proper testing, set up an internal team that would be responsible for understanding the threat communities you are dealing with (or hire an external one), and make sure you set yourself a goal to have an unbiased understanding of what your gaps are and how well you can face a standard attack (yes – the same standard attack that you are going to call an “APT” if it hits you unprepared).